| title | Security Architecture |
|---|---|
| description | SINT Protocol's defense-in-depth security model — from cryptographic primitives to runtime enforcement. |
| sidebarTitle | Security |
SINT Protocol implements defense-in-depth security across every layer: cryptographic identity, capability-based access control, runtime policy enforcement, anomaly detection, and tamper-evident audit logging.
This page documents the actual security controls implemented in sint-ai/sint-protocol — verified against source code, not aspirational.
| Asset | Examples | Protection |
|---|---|---|
| Physical Actuators | Robot arms, drones, vehicles | Capability tokens + constraint enforcement |
| Agent Credentials | Ed25519 keypairs, delegation chains | Hardware-backed key generation, token expiry |
| Audit Trail | Evidence ledger, hash chain | SHA-256 append-only chain, proof receipts |
| Policy Configuration | Tier definitions, geofences, force limits | API key-protected admin endpoints |
| Runtime State | Active tokens, approval queues, rate limits | In-memory isolation, per-key rate limiting |
| Vector | Attack Example | Mitigation |
|---|---|---|
| Token forgery | Crafting a fake capability token | Ed25519 signature verification (@noble/ed25519) |
| Privilege escalation | Child token exceeding parent permissions | Attenuation-only delegation with Math.min() enforcement |
| Constraint bypass | Exceeding force/velocity limits | Runtime Math.min(token_limit, envelope_limit) on every intercept |
| Goal hijacking | Prompt injection to override safety policy | 25+ regex pattern detector with confidence scoring |
| Replay attacks | Reusing expired tokens | Timestamp validation, token expiry enforcement |
| Audit tampering | Modifying evidence records | SHA-256 hash chain with genesis hash, integrity verification |
| Gateway bypass | Reaching actuators without policy check | Single intercept() entry point, no alternate code paths |
| Tier manipulation | Downgrading safety tier to avoid controls | Monotonic tier escalation only (tiers never decrease) |
All agent identity is based on Ed25519 public key cryptography via the audited, zero-dependency @noble/ed25519 library.
Source: packages/capability-tokens/src/crypto.ts
| Operation | Implementation | Notes |
|---|---|---|
| Key generation | ed25519.utils.randomPrivateKey() |
32-byte random private key |
| Signing | ed25519.sign(message, privateKey) |
Deterministic signatures |
| Verification | ed25519.verify(signature, message, publicKey) |
Constant-time comparison |
interface SintCapabilityToken {
agentId: string; // Ed25519 public key (hex)
resource: string; // Target resource identifier
action: string; // Permitted action
constraints: {
force_newtons?: number;
velocity_mps?: number;
temperature_celsius?: number;
geofence?: [number, number][]; // Polygon vertices
joint_angles?: Record<string, [number, number]>;
};
tier: 1 | 2 | 3 | 4 | 5;
expiry: number; // Unix timestamp
delegationChain: string[]; // Parent token signatures
signature: string; // Ed25519 signature (hex)
}Tokens can be delegated up to 3 levels deep. Each delegation enforces attenuation only — child tokens can never exceed parent permissions:
Source: packages/capability-tokens/src/delegator.ts
// Constraint attenuation — always Math.min
force: Math.min(parent.force, requested.force)
velocity: Math.min(parent.velocity, requested.velocity)
tier: Math.max(parent.tier, requested.tier) // Higher tier = more restrictedThe gateway server (apps/gateway-server/src/middleware/auth.ts) implements three authentication layers:
| Path Type | Auth Method | Enforced On |
|---|---|---|
| Exempt | None | /v1/health, /v1/keypair, /.well-known/sint.json, /v1/openapi.json, /v1/schemas |
| Agent | Ed25519-Signature header | POST/PUT/PATCH on non-admin routes |
| Admin | X-API-Key header | /v1/tokens, /v1/tokens/revoke, /v1/ledger, /v1/approvals |
Ed25519 Signature Header Format:
Ed25519-Signature: <publicKeyHex>:<signatureHex>
The agent signs the raw JSON request body. The gateway verifies the signature before processing.
Per-key rate limiting (100 requests/minute default) with in-memory bucket tracking:
Source: apps/gateway-server/src/middleware/auth.ts → rateLimit()
Response headers:
X-RateLimit-Limit— Maximum requests per windowX-RateLimit-Remaining— Requests remainingX-RateLimit-Reset— Window reset timestamp
Every action request passes through a single pipeline with no bypass paths:
Source: packages/policy-gateway/src/gateway.ts → intercept()
The emergency stop mechanism is invariant I-G2 — it preempts all other processing:
- CSML anomaly score above threshold → automatic trip
- Manual trip via API → immediate halt
- Recovery requires explicit reset with admin authorization
Source: packages/evidence-ledger/src/writer.ts
Every event in the evidence ledger includes a SHA-256 hash of the previous event, forming a tamper-evident chain:
// Hash computation (excluding hash field itself)
function computeEventHash(event: Omit<SintLedgerEvent, "hash">): SHA256 {
const bytes = new TextEncoder().encode(JSON.stringify({
sequenceNumber: event.sequenceNumber,
timestamp: event.timestamp,
previousHash: event.previousHash,
// ... all event fields
}));
return bytesToHex(sha256(bytes));
}| Property | Implementation |
|---|---|
| Genesis hash | Fixed constant, serves as chain anchor |
| Append-only | LedgerWriter only exposes append(), no update/delete |
| Integrity check | verifyChain() walks the entire chain, verifying each previousHash pointer |
| Proof receipts | generateProof() produces a hash chain subset proving event inclusion |
Source: packages/evidence-ledger/src/siem-exporter.ts
The ledger supports exporting events to Security Information and Event Management systems for enterprise integration.
Source: packages/evidence-ledger/src/chain-of-custody.ts
Maintains provenance tracking for physical assets and data flows through the system.
| Tier | Name | Requirements | Constraints |
|---|---|---|---|
| T1 | Sandbox | Simulation only | No physical actuation |
| T2 | Guarded | Human-in-the-loop approval | velocity < 0.5 m/s |
| T3 | Supervised | Continuous monitoring + alerts | force < 50 N |
| T4 | Autonomous | Full audit trail, no human gate | All constraints enforced |
| T5 | Unsupervised | Classified clearance | Military/space applications |
SINT Protocol maps its controls to the OWASP Agentic Security Initiative framework:
Source: packages/core/src/constants/compliance.ts
Coverage includes identity verification, capability scoping, runtime monitoring, audit logging, and incident response — with compliance mapping to SOC2, ISO 27001, and emerging AI safety regulations.
As of April 2026, pnpm audit reports 0 vulnerabilities across the entire monorepo.
| Dependency | Previous Issue | Resolution |
|---|---|---|
esbuild |
GHSA-67mh (dev server CORS bypass) | Upgraded to ≥0.25.0 |
path-to-regexp |
GHSA-j3q9, GHSA-27v5 (ReDoS) | Override to ≥8.4.0 |
picomatch |
GHSA-c2c7, GHSA-3v7f (ReDoS, POSIX injection) | Override to ≥4.0.4 |
- All dependencies pinned via
pnpm-lock.yaml - Zero-dependency cryptographic libraries (
@noble/ed25519,@noble/hashes) - Turborepo build cache for reproducible builds
- CI runs
pnpm auditon every PR
If `SINT_API_KEY` is not set, admin endpoint authentication is **skipped** (dev mode). Always set this in production.
| Item | Required | Notes |
|---|---|---|
Set SINT_API_KEY |
✅ | Admin endpoint auth |
Set SINT_STORE=postgres |
✅ | Persistent evidence storage |
Set SINT_CACHE=redis |
Recommended | Token cache + rate limiting |
| Enable TLS termination | ✅ | Reverse proxy (nginx, Caddy, Cloudflare) |
| Configure rate limits | Recommended | Default: 100 req/min/key |
| Set token expiry policy | ✅ | Don't issue long-lived tokens |
| Enable SIEM export | Recommended | Enterprise audit compliance |
| Review geofence templates | If applicable | Physical safety zones |
| Test circuit breaker | ✅ | Verify e-stop behavior before deployment |
Report vulnerabilities to team@sint.gg. We follow responsible disclosure and aim to respond within 48 hours.